The Assessment CyberSafe Assessment is a free tool to help you find cybersecurity vulnerabilities in your business. You will get real personalized results with tools and suggestions for strengthening security in your business. ASSESSMENT SECTION 1 SECTION 2 SECTION 3 Section 1: Identifying 1. My business can identify what type of confidential data (identification numbers, address, credit card numbers, social security, etc.) is stored in my business. Yes No Tip: The first step to secure your data is knowing what cybercriminals want. Personal information is protected by law and can cause financial hardships on your business if it’s ever breached. Sensitive information you need to protect includes identification numbers, address, credit card numbers, social security, etc. 2. My employees have been trained to identify security risks such as phishing emails, infected devices, spyware, etc. Yes, employees have been trained. No, employees have not been trained. Tip: It is not uncommon for an employee to click on a link, or download an attachment they believe is harmless, only to discover they have been infected with a virus or something worse. The CyberSafe program has a quiz available to all small business owners with social engineering training. It is completely free and will issue your employees a certificate of completion. 3. My employees have been trained in procedures to take when they identify a security risk or data breach. Yes, employees have been trained. No, employees have not been trained. Tip: One of the common origin causes of data breaches in small businesses are employees. But they can also be the front line of defense when it comes to protecting client information. Train your employees about overall security policy, more importantly, help them understand the security measures of the business. Set up a confidentiality agreement for your employees to sign, and state clearly the consequences of violating the agreement. 4. My employees have been trained to keep software up to date. Yes No Tip: Updates can be a huge pain, but they are necessary. Updates contain critical security patches that will protect your computer from latest discovered threats. Without these updates, it can put your data and computer at risk. It is best to set computers to automatic updates. 5. My business has a list to identify all devices in the organization. Yes No Tip: It is essential to identify devices that you utilize in your business . Each device you own is a security risk due to fact that they can connect to the internet and interact with other devices. Having a list of all your devices will help you identify the possible port of business data breach. 6. My business has identified non-essential applications and removed them from business devices. Yes No Tip: Non-essential applications or programs consume your computer resources. These application or programs can take up your computer storage, increase how long your pc takes to boot, waste RAM, etc. More importantly, they can be platforms for malware to penetrate your computer or network. Therefore, it is always a good idea to remove non-essential applications. Section 2: Protecting 1. All staff members have their own logins for computers. Yes No Tip: Having different logins for each employee will restrict employees from snooping around unauthorized sensitive data. 2. Employees passwords are at least 8 characters long, with upper case letters, lower-case letters, numbers, and symbols. Yes No Tip: Strong passwords are the most common defense against unauthorized access. A strong password should be a mix of upper and lowercase letters, numbers, and special characters. Make sure to use different passwords for different account. If possible, use 2 factor authentication. 3. All staff members change passwords periodically. Yes No Tip: Strong passwords are the easiest thing you can do to strengthen your security. Make sure to change them at least every 60-90 days. 4. Business computers time-out after a duration of inactivity. Yes No Tip: It is important for computers to “time-out” or “sleep” after a duration of inactivity, because this time period leaves the computer open for anyone to see. That means anyone can come and snoop around confidential data. 5. My employees can access company files remotely. Yes No Tip: Try to avoid having employees access company files remotely especial if it is protected personal information. This will lower the risk of losing business data due to employee carelessness. It could be the case that employees decide to access these files over wifi or they are accessing them from a shared computer. Both of these methods 6. My employees use business devices for personal use. Yes No Tip: Letting employees use business devices for personal use can lead to a number of consequences such as data leakage, lost devices, and bigger malware threats. Additionally, do not let employees connect personal devices to the main business Wi-Fi, for personal devices usually lack adequate protection from snooping. Employee's personal device can let cybercriminals in while connected to business Wi-Fi. 7. My employees have software to send confidential data safely when traveling or using public Wi-Fi. Yes No Tip: Letting employees use public Wi-Fi can be a great risk for any business. When your employee connects to an open WI-FI network like Starbucks, the network is generally unencrypted. You can tell its open network because there is no password when connecting. Therefore, your unencrypted network traffic is visible to everyone in range. Cybercriminals can see what unencrypted web pages you are visiting and even what you are typing! If your employee is going to have to use public WI-FI make sure to provide them with tools to navigate safely through public Wi-Fi. One tool that you can provide them with is a VPN. 8. My business encrypts sensitive business information. Yes No Tip: Encryption makes it more difficult for criminals to interpret personal client information if your device or files are ever stolen. 9. My business has anti-virus software for all business devices and a schedule is set for unknown risk detection. Yes No Tip: Antivirus software are important for your network security. They are one of the last line of defense if an unwanted attack gets through your network. Employees usually do not run anti-virus software update on their own. The best practice is to set the anti-virus to automatic updates. Out-of-date antivirus software can have consequences to your security, for new updates release patches for new threats.. 10. My business backups data at least once a week, and has as a copy backup of data in a remote location. Yes No Tip: Backup data on a regular basis. This might give you a piece of mind if your data is stolen or compromised. Usually data should be backed up weekly, and if needed every night. Backup your data in a remote location in case all your computers or devices are ever compromised. This will allow you to keep the business running if all your systems or devices are all compromised on site. Section 3: Responding 1. My business has a list of legal entities to contact in the event of a cyber-attack. Yes No Tip: You should have a list ready to contact legal entities in the event of a cyberattack. Breach notifications are expected to be sent to customers as soon as possible according to the law. Delays will only cause your small business more money. 2. My business has a detailed list of who operates what business devices. Yes No Tip: Lost devices are a major risk for any business. A missing phone, tablet, or laptop raises the possibility of an outsider accessing sensitive information about customers or employees. This information can sometimes be used against your business in court. Having a detailed list of who operates what device will help your business respond to the incident faster. 3. My business has a recovery plan in place in the event of a cyber-attack. Yes No Tip: Businesses create and manage large amounts of electronic data. This data is important and sometimes vital to continued operation of the business. The impact of data loss due to hacking, malware, employee error, hardware failure can be significant. A recovery plan will help your business restore its operations as quickly as possible. More importantly, it can reduce premiums on cyber risk insurance. 4. My business has designated personnel to manage recovery in the event of a cyber-attack. Yes No Tip: The majority business operation and records are usually on a computer nowadays. if the computer is breached, and leaking data, it is possible your business will be facing a class action lawsuit for failing to protect customer or employee data. Having someone to manage recovery will significantly help you reduce cost and keep business running. This can be or include an employee, lawyer, and third parties. 5. My business can notify customers if their confidential information has been or might have been stolen as soon as possible to meet state regulations. Yes No Tip: It is the business obligation to notify customers if their confidential information has been or might have been stolen to meet state regulations. If your business does not have a contingency plan, it is more likely to result in higher cost of the incident. 6. My business knows state regulations for protected data. Yes No Tip: Business owners should have basic knowledge of law and regulations regarding data protection, so to have a precautious plan setup. In reality businesses pay for lawsuits and many other costs when essential data is compromised, so it is better to protect it now then to pay thousands in damages later. 7. My business knows that regular business liability insurance does not cover cyber-attacks. Yes No Tip: Cyber risk insurance is different from business liability insurance. Cyber risk insurance protects business against data breach. According to a recent study done by Ponemon Institute the average cost of a single stolen record is $250. That means if your cybercriminal accesses only 100 files of customer data, the cost to your small business is $25,000. 8. My business has regulations in place to retrieve all sensitive data from employees leaving the business. Yes No Tip: Sometimes there are employees who have malicious intentions and steal sensitive information. Make sure of an official channel for employees to report suspicious behavior from coworkers. State your expectations in the employee handbook for best results. 9. My business knows how to preserve files for further investigation in the event of a cyber-attack. Yes No Tip: In the event of a breach your business will have to contact a forensic computer examiner. Make sure you know what steps to take to stop a hacker from compromising more files, and more importantly how to preserve those evidence for the forensic computer examiner. Your lawyer will need all the details to represent you in case of any lawsuits. DEMOGRAPHICS SECTION Demographic: The following questions will not impact your score, but will help us meet your business needs. 1. How many employees does your business have? 5 or less 5 to 15 16 to 30 31 to 50 51 to 75 75-100 100+ 2. Which industry is your business in? Restaurant Services Retail Health and Beauty Construction Manufacturing Science and Technology Gym Other 3. How long has your business been opened? 1 year or less 2 to 5 years 6 to 10 years 10+ years 4. Has your business been harmed by a cyber-attack in the past? Yes No I do not know 5. Any comments or suggestions? Question 1 of 1 Back Next Question 1 of 1
